Cybersecurity and the Internet of Things

At work your smart phone buzzes with an alert: You’re out of milk, but beware of heavy traffic on the road to the local grocery store.

Software and hardware developers are pushing us toward that reality – one where almost anything can communicate through a network to provide consumers with information.

They call it the Internet of Things (IoT), and the Pew Research Center’s Internet and American Life Project predicts that soon, items as diverse as milk cartons and roadways, will be interconnected. Finance firm Morgan Stanley predicts that by 2020, 75 billion devices will be part of it.

Manufacturers also believe the IoT can help their machines communicate with each other, decreasing downtime and improving productivity.

But there’s a potential downside: Hackers can gain access to the data for nefarious purposes.

As Michael Daly, Raytheon’s chief technology officer for cybersecurity and special missions puts it: “Experience tells us that when everything is connected, everything is vulnerable.”

Raytheon and other aerospace and defense companies, such as Boeing, Lockheed Martin, and Northrop Grumman, are heavily involved in cybersecurity – it’s a rapidly growing part of their business.

Proof that data can be hijacked is abundant in recent events where confidential details of customer credit card transactions were stolen from several major retailers. A report issued in September revealed that 43% of firms in the U.S. had experienced a data breach in the past year. One of the worst instances was a data breach at one of the largest global financial institutions where information from 76 million households and 7 million small businesses was compromised.

With the data-intensive IoT, the threat could expand to include power grids, self-driving cars, UAVs, airplanes, and many more systems that require secure command and control.

What is the risk to manufacturing and the various machines that may be interconnected?

The Stuxnet computer worm famously infiltrated the programmable logic controllers of Iran’s uranium enrichment centrifuges and damaged them by altering their speed while falsely indicating all was normal.

From what I could discover, a cyber attack is less likely to affect a well-supervised CNC machining center. A compromised CAD/CAM program would quickly show results of sabotage in ruined parts. But a shop owner’s inclusive IoT network could put confidential intellectual property, operations information, and legal and planning documents at risk.

Already there have been instances where smart home appliances connected to the Internet have been tricked into sending malicious email. Checking a refrigerator from a work laptop could conceivably infect it and a business’ network, opening the door to hackers.

Industry is taking steps to define IoT security standards, and several helpful guides aimed at preventing cyber attacks in general are available online.

Recommendations from several sources include such basics as training employees to be wary of socially engineered emails that invite readers to click on a malicious file, limiting and authenticating network access, and providing incident response procedures to mitigate breaches.

Boeing prepared a 112-page guide for the National Institute of Standards and Technology in 2013 to help companies develop a framework to improve critical infrastructure cybersecurity. It defines terms and lists a slew of best practices. A pdf file is available at http://1.usa.gov/1uGWBsa.

What steps have you taken toward better cybersecurity?

Let me know at ebrothers@gie.net. – Eric